Changelog
What we shipped and when. Every release, documented.
v0.7.x
Hardening sweep + admin panel polish
- •Password reset: full token-based ceremony, 30-minute TTL, anti-enumeration
- •Marketing contact form is now live (rate-limited, schema-validated)
- •New /api/health endpoint on the user-app for K8s probes
- •Stronger sign-up password policy (3-of-4 character classes)
- •Session expiry now redirects with a friendly notice instead of failing silently
- •Web app: skip-link, ARIA wiring on auth forms, autocomplete hints
- •Admin: all destructive buttons now gated by client-side RBAC
- •Admin: per-staff mutation rate-limit (stolen-session defence)
- •Admin: refund-partial now tracks cumulative refunded amount
- •PII access log table — every staff read of customer PII is audited
- •TOTP secret encryption-at-rest (env-driven AES-256-GCM)
v0.6.x
Admin panel general availability
- •Full admin panel: dashboard, users, documents, plans, subscriptions, orders, coupons, support tickets, moderation, audit log, ops, reports, settings
- •Staff RBAC across 6 roles with permission-driven gating
- •TOTP enrolment + WebAuthn passkey login for staff
- •Append-only audit log (DB-level triggers)
- •Real-time KPIs on the operations dashboard
v0.5.x
Phase 1 editor stack
- •Block-based editor with 19 block types and 12 inline marks
- •Viewport virtualisation for long documents (100K blocks scroll <4ms)
- •IME (CJK) composition handling
- •Smart-paste with HTML/markdown/URL/code detection
- •XSS-hardened HTML import via DOMPurify
v0.0.1
Initial public beta
- •Local-first document editor with offline support
- •Block-based editing with Markdown shortcuts
- •Real-time sync across devices
- •Document version history
- •Markdown and plain text export
- •Dark and light theme support
- •Marketing site and documentation